President Obama calls for federal data breach notification legislation as US military accounts are hacked

In spite of the fact that, according to our calculations, the last 14 months saw the compromise of more personal records than there are US citizens, there is still no single federal law obliging breached organizations to notify affected individuals when their personal information is affected. President Obama aims to change that.

Presidential focus on cybersecurity

Speaking at the Federal Trade Commission Monday as part of a weeklong focus on cybersecurity, the President renewed calls for a federal breach notification law, saying that the current patchwork of state data breach notification laws is confusing and costly for companies that do business across the US.

He acknowledged that the Internet brought risks as well as benefits: “If we’re going to be connected, then we need to be protected. As Americans, we shouldn’t have to forfeit our basic privacy when we go online to do our business”.

He went on: “…we’re introducing new legislation to create a single, strong national standard so Americans know when their information has been stolen or misused”.

Personal Data Notification and Protection Act

The proposed Personal Data Notification and Protection Act will require American companies to notify affected individuals within 30 days of their personal information being lost in online breaches.

President Obama has attempted to introduce similar legislation before, only to be stymied by Congress. The President called for the House’s support this time: “…this mission, protecting our information and privacy in the Information Age, this should not be a partisan issue. This should be something that unites all of us as Americans.”

Centcom hack

Meanwhile, presumably timed to coincide with the President’s speech, the Twitter and YouTube accounts of Centcom – the US military Central Command in the Middle East and Central Asia – were hacked by Islamic State supporters. Central Command said it was “an act of vandalism”, and that no classified information had been affected. Both accounts were taken down within an hour of the attack.

Compliance

Until the Personal Data Notification and Protection Act is enacted, organizations across the US must comply with 47 individual state data breach notification laws. Details can be found here >>

The best way to do so is to implement and maintain an information security management system (ISMS) as laid out in the international information security management standard ISO 27001.

ISO 27001 presents a comprehensive and logical approach to developing, implementing and managing an ISMS, and provides associated guidance for conducting risk assessments and applying the necessary risk treatments.

The additional external validation demonstrated by accredited certification to ISO 27001 will improve an organization’s cybersecurity posture while providing a higher level of confidence in customers and stakeholders, which is essential for securing certain global and government contracts.

IT Governance has created four ISO 27001 implementation solutions to give US organizations online access to world-class expertise. Each fixed-priced solution is a combination of products and services that will enable you to implement ISO 27001 at a speed and budget appropriate to your individual needs.